
I just noticed that in ZA Program Control LSA Shell (Export Version) was added automatically (without notifying me), with green check marks in both the Access-Trusted and Access-Internet (and ?'s in the Server-Trusted and Server-Internet). It didn't ask to allow it, it just did it (and I happened to notice).

I'm not sure when it happened, but I was just at the library using their free wifi (which comes up in the Internet Zone, *not* the Trusted Zone, as it should) and when I checked my ZA Program Control, that's when I noticed it. I freaked out a bit and just immediately removed it from the ZA Program Control. But I do recall that the details of it did say Microsoft and I also did a search of my computer for lsass.exe and only one comes up in the C:\WINDOWS\System32 folder (which is where it's supposed to be).

Any ideas what this is about? (It's never come up before when using the wifi at the library, or dial-up at home -- though I do recall it popping up from time to time on my old computer, and I always just removed it...) Thoughts?

Also, is there a log somewhere that will show it getting added and what it was doing?

<blockquote><hr>bloomcounty wrote:
I just noticed that in ZA Program Control LSA Shell (Export Version) was added automatically (without notifying me), with green check marks in both the Access-Trusted and Access-Internet (and ?'s in the Server-Trusted and Server-Internet). It didn't ask to allow it, it just did it (and I happened to notice).

I'm not sure when it happened, but I was just at the library using their free wifi (which comes up in the Internet Zone, *not* the Trusted Zone, as it should) and when I checked my ZA Program Control, that's when I noticed it. I freaked out a bit and just immediately removed it from the ZA Program Control. But I do recall that the details of it did say Microsoft and I also did a search of my computer for lsass.exe and only one comes up in the C:\WINDOWS\System32 folder (which is where it's supposed to be).

Any ideas what this is about? (It's never come up before when using the wifi at the library, or dial-up at home -- though I do recall it popping up from time to time on my old computer, and I always just removed it...) Thoughts?

Also, is there a log somewhere that will show it getting added and what it was doing?

<hr></blockquote>You're using a Very Old version of Zone Alarm Free..
a.) have you Regularly Updated your Anti-Virus and Anti-Spyware?
b.) have you kept WindowsXP updated with Service Pack 2 and all the Current Windows Updates?
Depending on your os Status, you could have the Sasser or msblast virus..

It seems you have asked this question once before and got many replies - refresh your memory - click here > http://forums.zonelabs.org/zonelabs/...ssage.id=16230
- and read thru all of the replies - again. LSA is a Microsoft service.
<hr>From ProcessList.com<hr>
What is lsass.exe?

lsass.exe (LSA Shell (Export Version)) is an executable from the software Microsoft Windows Operating System version 5.1.0 by Microsoft Corporation. lsass.exe version 5.1.0 is most commonly found under the directory "system32" with a creation date of August 23, 2001. This is not a known spyware, adware, or trojan executable. Microsoft Windows is the most widely used PC operating system.
<hr>
LSA Shell (Export Version) = Windows/system32/lsass.exe on the pc - it's essential, keep it.
<hr>From neuber.com<hr>
What is lsass.exe? Is lsass.exe spyware or a virus?
<hr>
Process name: Local security authentication server
Product: Windows
Company: Microsoft
File: lsass.exe
Security Rating:

"lsass.exe" is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Note: The lsass.exe file is located in the folder C:\Windows\System32. In other cases, lsass.exe is a virus, spyware, trojan or worm!
<hr>From neuber.com<hr>
Thanks to Guru Oldsod for this -
<hr>

Is that Isass.exe or Lsass.exe?

Lsass.exe is a legit Windows component, if it is in the C:\WINDOWS\System32 folder. Just look for it and right click it and examine the properties. The time and date should coincide with the Windows Install. Plus the version and owner can be found verifying if it is from Microsoft.

Yes there are worms and various malware posing as lsass.exe
These should be held in check if you have all of the Microsoft updates. And scan with an updated antivirus.

Denying access in the ZA Program Control will not stop it from running. That requires the "Kill" in the right click Options in the ZA itself. So yes, it will still appear in the Task Manager.

It does not require Internet access or any server rights of any kind. Just Trusted Access and a three green bar rating. Ask for internet access is acceptable...<hr>:0NaiveMelody NYC 2-15-08 - How's It Going To Be - Third Eye Blind
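The checks described in the post above (exact file name, location in System32, Microsoft as publisher), applied to a list of executables, as an added example that is not part of the original thread. The record layout, the verdict names and the look-alike character table are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

TARGET = "lsass.exe"
ROOT = r"C:\WINDOWS"  # assumed %SystemRoot%, as in the thread
# Characters commonly swapped for one another in masquerading names.
CONFUSABLE = str.maketrans(
    {"i": "l", "1": "l", "|": "l", "5": "s", "$": "s", "4": "a", "@": "a"})


def skeleton(name):
    """Lower-case the name and fold look-alike characters together."""
    return name.lower().translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path, company, system_root=ROOT):
    """Verdict for one executable, given its full path and the Company
    value from its file properties (both collected by the caller)."""
    name = ntpath.basename(path).lower()
    if name != TARGET:
        near = skeleton(name) == TARGET or edit_distance(name, TARGET) == 1
        return "lookalike-name" if near else "unrelated"
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    if ntpath.normcase(ntpath.dirname(path)) != expected:
        return "wrong-location"
    if company != "Microsoft Corporation":
        return "unexpected-publisher"
    return "expected"


# Constructed sample records (path, Company); not from a real host.
SAMPLE = [
    (r"C:\WINDOWS\System32\lsass.exe", "Microsoft Corporation"),
    (r"C:\WINDOWS\System32\Isass.exe", "Microsoft Corporation"),
    (r"C:\WINDOWS\lsass.exe", "Microsoft Corporation"),
    (r"C:\WINDOWS\system32\lsass.exe", ""),
    (r"C:\WINDOWS\System32\svchost.exe", "Microsoft Corporation"),
]

if __name__ == "__main__":
    for sample_path, sample_company in SAMPLE:
        print(f"{classify(sample_path, sample_company):22} {sample_path}")
```

The Company value is metadata stored in the file itself, so `expected` means only that these three checks passed; verifying the file's digital signature is the stronger test.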

I think you can allow it for the local network or very trusted network. So put a "?" for the internet access when it comes back.

ZA normally puts untrusted networks such as wifi in the Internet zone, so I have no problem with that part, as you do.

Prof_Fate, 6.5 isn't thaaaaaat old. It's the last one small (without the disabled suite features) and has no conflicts with other security apps. I think ZA would have alerted if the worm hit, but who knows on a public wifi really.

Correct.

Actually the Sasser worm exploit had been fixed in windowsXP by the updates prior to XP SP2 and is patched in the XP SP2. Not a risk anymore for a properly updated windows XP.

Active Directory (Local Security Authority)
Active Directory runs under the LSASS process and includes the authentication and replication engines for Windows 2000 and Windows Server 2003 domain controllers. Domain controllers, client computers and application servers require network connectivity to Active Directory over specific hard-coded ports in addition to a range of ephemeral TCP ports between 1024 and 65536 unless a tunneling protocol is used to encapsulate such traffic. An encapsulated solution might consist of a VPN gateway located behind a filtering router using Layer 2 Tunneling Protocol (L2TP) together with IPsec. In this encapsulated scenario, you must allow IPsec Encapsulating Security Protocol (ESP) (IP protocol 50), IPsec Network Address Translator Traversal NAT-T (UDP port 4500), and IPsec Internet Security Association and Key Management Protocol (ISAKMP) (UDP port 500) through the router as opposed to opening all the ports and protocols listed below. Finally, the port used for Active Directory replication may be hard-coded as described in the following article in the Microsoft Knowledge Base:

The lsass.exe will often request or require internet access when the IPSec is enabled or used and for the VPN. The remainder of the requests is for the lan itself and no further. If the user does not want the lsass.exe to be available or started in the windows for connections, then the user should disable the IPSec, NetLogon, NT LM Security Support Provider, Protected Storage and the Security Accounts Manager Services.

Removing an entry in the ZA Program list to run away from it is self defeating. A software firewall is designed to control the ports, protocols and IP and the applications, not ignore them!

Windows or any computer is designed to connect and interact with other computers in various ways. To hide or destroy that connecting aspect of a computer is self defeating. To control the connecting aspect of a computer is the acceptable approach and method.

Funny how posters panic at some new entry in the ZA Program list but forget to read the firewall logs and see if there really was an outbound connection made in the first place and to where and by what ports and protocols and what were the incoming connections. Or post the log entries for a proper breakdown and analysis. Oldsod

<blockquote><hr>Oldsod wrote:
Funny how posters panic at some new entry in the ZA Program list but forget to read the firewall logs and see if there really was an outbound connection made in the first place and to where and by what ports and protocols and what were the incoming connections. Or post the log entries for a proper breakdown and analysis. Oldsod
<hr></blockquote>

This is actually what I wanted to do (and I believe I asked about where I could find the log entry that showed what it was doing when it was automatically added to Program Control). It did not ask me to allow it to access anything or add it, but it showed up on its own in Program Control (with *two* green check marks -- Access-Trusted *and* Access-Internet, though you said it should only have been Access-Trusted, right?).

1. I still don't understand the reason it popped up -- or, more importantly, it's okay that it popped up in Program Control on its own?

2. Where is the log located that will show if it made a connection (and to where) and/or when it was added to Program Control?

3. Why was it added with green check marks for *both* Access-Trusted and Access-Internet?

I use DIAL-UP 99.9% of the time (except when using free wifi at the library to download podcasts or watch videos at reputable sites -- and it *might* have been at this time, when using free wifi, when it was added automatically, but hopefully the log will tell?)

Also, I did look at my old thread -- this is a somewhat different situation.

Yes of course it is okay it is in the ZA program list. It is a windows component.
Did it actually "popup" or was this merely added to the ZA program list.
Open the Alerts and Logs and select the Log Viewer or open the ZALog.txt in the WINDOWS\Internet Logs.
The lsass.exe does need both internet access and trusted access as described in the quote from microsoft kb.
The real question remains if the lsass.exe actually did make any outbound connections or did windows just activate the lsass.exe when started at the open wireless lan and the ZA simply recognized the event.
It does not matter if you have avg or spybot. These are unrelated.
Actually no, this is still the same topic and I will not explain any further.
No doubt your other threads in different forums yield similar answers.

Oldsod -- Here's the answers to your questions...

<blockquote><hr>Oldsod wrote:
Did it actually "popup" or was this merely added to the ZA program list.
Open the Alerts and Logs and select the Log Viewer or open the ZALog.txt in the WINDOWS\Internet Logs.<hr></blockquote>

As I stated, there was no "pop-up" asking me to allow it. I just happened to notice it in the Program Control when I checked it while using the wifi at the library. It was never added automatically like that on previous occasions I used the wifi there. Only this time.

I just checked all the internet logs back to 1/24/08 and did a search for "lsass" and nothing came up. Should it have shown up in the log somewhere if it got added automatically to the Program Control?

<blockquote><hr>Oldsod wrote:
The real question remains if the lsass.exe actually did make any outbound connections or did windows just activate the lsass.exe when started at the open wireless lan and the ZA simply recognized the event.
<hr></blockquote>

Since I could not find "lsass" listed in any of the logs, does that mean it did not make any outbound connection?

If it didn't and Windows just activated it (for some reason only this time) and ZA recognized the event, would that still show up in a log somewhere?